Displaying 1 result from an estimated 1 matches for "mrfredtr".
2010 Sep 21
7
Ajax CSRF in Rails3
I''m using rails3. It does not seem to check the authenticity_token
when doing a POST using Ajax. I traced this to:
module ActionDispatch
class Request < Rack::Request
.....
def forgery_whitelisted?
get? || xhr? || content_mime_type.nil? || !
content_mime_type.verify_request?
end
end
so you don''t check if its a get? or a xhr? (ie ajax request). Is this
correct?
--